Managing the Internet of (Hackable) Things

The Internet of Things (IoT) promises to revolutionize our businesses and lives. According to tech research firm Gartner Inc.; on an average day this year, 5.5 million new products of all types will be connected to the Internet. By the end of the year, 6.4 billion devices will be networked, an increase of 30 percent from last year, with the number jumping to a staggering 20.8 billion by the end of the decade.

McKinsey & Company’s Global Institute found that the total economic benefit of IoT in 2025 could be from $3.9 trillion to $11.1 trillion per year.1

While this technology will open many opportunities for wealth creation, not all of those opportunities will be legal ones. Just as legitimate businesses and entrepreneurs are working on ways to make money from the Internet of Things, cyber thieves are equally enthusiastic about its potential.

Clearly, the risk is not that criminals will hack into your appliances in order to burn your toast or melt your ice cream, although they will certainly have that capability. The real threat is that they will use weakly protected appliances as portals into your home network, where they will steal personal and financial information stored on your laptop to commit identity theft and banking fraud.

As the FBI recently announced:

“Deficient security capabilities and difficulties for patching vulnerabilities in [IoT] devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices.2 Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam emails, steal personal information, or interfere with physical safety. The main IoT risks include:

An exploitation of the Universal Plug and Play protocol (UPnP) to gain access to many IoT devices. [This protocol] describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping...